REST APIs & Microservices interview questions & answers
What are the most common REST APIs & Microservices interview questions?
A REST API is a web interface that exposes resources over HTTP using standard methods and a stateless, client-server model, returning data typically as JSON. Microservices split an application into small, independently deployable services that communicate over such APIs. Interviews test REST principles, HTTP methods and status codes, idempotency and statelessness, authentication, versioning, and how services talk to each other.
Updated 2026-06-18 · 15 real, commonly-asked questions with answers.
Key takeaways
- A REST API is a web interface that exposes resources over HTTP using standard methods and a stateless, client-server model, returning data typically as JSON.
- Core areas to revise for REST APIs & Microservices: REST principles & resources, HTTP methods & status codes, Idempotency & statelessness, Authentication & authorization, API versioning.
- This guide answers 15 of the most-asked REST APIs & Microservices interview questions — rehearse them in OnJob's free AI mock interview.
Top 15 REST APIs & Microservices interview questions
Q1.What is a REST API?
REST (Representational State Transfer) is an architectural style for web APIs that models everything as resources identified by URLs and manipulated with standard HTTP methods. It is stateless, meaning each request carries all the information needed and the server keeps no client session between requests. Responses are typically JSON, and the design favors a uniform, predictable interface.
Q2.What are the main HTTP methods and what do they do?
GET retrieves a resource without changing it; POST creates a new resource; PUT replaces a resource entirely; PATCH partially updates a resource; and DELETE removes it. GET, PUT, PATCH, and DELETE map to read, full update, partial update, and delete, while POST is the non-idempotent create. Using the correct method conveys intent and enables caching and safe retries.
Q3.What does idempotency mean and which methods are idempotent?
An operation is idempotent if making the same request multiple times has the same effect as making it once. GET, PUT, and DELETE are idempotent: repeating them leaves the resource in the same state. POST is not idempotent, because each call typically creates a new resource. Idempotency matters for safely retrying requests after network failures.
Q4.What is the difference between PUT and PATCH?
PUT replaces the entire resource with the payload you send, so omitted fields are typically removed or reset, and it is idempotent. PATCH applies a partial update, modifying only the fields you include and leaving the rest unchanged. Use PUT when you send the full representation and PATCH when you send only the changes.
Q5.What does it mean that REST is stateless?
Statelessness means the server does not store any client context between requests; every request must contain all the information needed to process it, such as authentication tokens. This makes the API easier to scale horizontally, because any server can handle any request without shared session state, and improves reliability since there is no session to lose. Client state lives on the client.
Q6.Explain common HTTP status code categories.
Status codes are grouped by their first digit: 2xx means success (200 OK, 201 Created, 204 No Content); 3xx means redirection (301 Moved Permanently, 304 Not Modified); 4xx means client error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found); and 5xx means server error (500 Internal Server Error, 503 Service Unavailable). They tell the client whether and why a request succeeded or failed.
Q7.What is the difference between 401 and 403 status codes?
401 Unauthorized means the request lacks valid authentication credentials, so the client is not identified, and it should authenticate and try again. 403 Forbidden means the server understood the request and knows who the client is, but that authenticated client does not have permission to access the resource. In short, 401 is about authentication, 403 is about authorization.
Q8.What is the difference between REST and GraphQL?
REST exposes multiple endpoints, each returning a fixed data structure, which can lead to over-fetching or under-fetching and multiple round trips. GraphQL exposes a single endpoint where the client specifies exactly the fields it needs in one query, avoiding over-fetching. REST is simpler and cache-friendly with HTTP; GraphQL is flexible for complex, nested data but shifts complexity to the server and caching.
Q9.What is API versioning and why is it needed?
API versioning lets you evolve an API without breaking existing clients by serving different versions side by side. Common approaches include putting the version in the URL path (/v1/users), in a request header, or in a query parameter. It is needed because once clients depend on an API's shape, changing it abruptly would break them, so versioning provides a controlled migration path.
Q10.What is the difference between authentication and authorization?
Authentication verifies who you are, confirming identity through credentials like a password, token, or certificate. Authorization determines what you are allowed to do once authenticated, controlling access to specific resources or actions. Authentication comes first and answers who, while authorization follows and answers what permissions you have.
Q11.What is a microservices architecture and how does it compare to a monolith?
A monolith is a single, unified application where all functionality is deployed together. Microservices split the application into small, independently deployable services, each owning a business capability and its own data, communicating over APIs. Microservices allow independent scaling, deployment, and technology choices but add operational complexity, network latency, and harder distributed debugging compared to a monolith.
Q12.How do microservices communicate with each other?
Microservices communicate synchronously over HTTP/REST or gRPC, where one service calls another and waits for a response, or asynchronously through a message broker or event queue (like Kafka or RabbitMQ), where services publish and consume events without waiting. Synchronous calls are simpler but create coupling and latency chains; asynchronous messaging decouples services and improves resilience.
Q13.What is statelessness's role in scaling an API?
Because a stateless API stores no session data on the server, any instance can handle any request, so you can add or remove server instances freely behind a load balancer. This horizontal scaling is straightforward since there is no need to route a user to a specific server holding their session. Any shared state is pushed to a database, cache, or token instead.
Q14.What is an API gateway in a microservices system?
An API gateway is a single entry point that sits in front of multiple microservices, routing client requests to the appropriate service. It centralizes cross-cutting concerns like authentication, rate limiting, request aggregation, SSL termination, and logging, so individual services do not each reimplement them. It also hides the internal service structure from clients, presenting a unified API.
Q15.What is the difference between PUT being idempotent and POST not being idempotent in practice?
If you send the same PUT to update a user's email three times, the user ends with that one email; the repeated calls do not pile up changes, so a retry after a timeout is safe. If you send the same POST to create an order three times, you may create three orders, so retries are risky. This is why create endpoints often add an idempotency key to make retries safe.
More interview topics
- Data Structures & Algorithms (DSA)
- DBMS (Database Management)
- Operating Systems
- Computer Networks
- OOP (Object-Oriented Programming)
- System Design
- SQL
- Aptitude (Quantitative & Logical)
- Java
- Python
- JavaScript
- React
- AWS (Amazon Web Services)
- Docker
- Kubernetes
- Node.js
- Angular
- TypeScript
- Git & Version Control
- Machine Learning
- Behavioral & HR
Practise & prepare
Practise REST APIs & Microservices out loud
Reading answers is step one. Rehearse them in OnJob's free AI mock interview, get instant feedback, then apply to AI-matched jobs in one click.